Advisory

Worm attacks exposed Redis instances using the CVE-2022-0543 Lua library exploit

Take action: This is very bad and very important news for teams that manage publicly reachable, unpatched Redis systems. Redis is usually confined to an internal product network and not exposed. Make sure your Redis is not exposed externally; if it is, insist on patching it immediately.


Learn More

Security researchers have discovered a highly sophisticated peer-to-peer (P2P) worm named 'P2PInfect' that targets instances of the popular open-source database Redis. The worm, written in Rust, exploits CVE-2022-0543 (CVSS v3 score 10.0), a critical sandbox-escape vulnerability in the Lua library.

The P2PInfect worm is designed to infiltrate Redis instances and assimilate them into a larger P2P network, allowing it to spread rapidly and establish a foothold in cloud container environments. This sets it apart from other worms targeting Redis, such as the cryptojacking malware operated by Adept Libra (aka TeamTnT) and Thief Libra (aka WatchDog).

Upon gaining access to a Redis instance, P2PInfect executes a PowerShell script that modifies the local firewall settings, preventing the legitimate owners from accessing the infected instance while granting unrestricted access to the worm operators.

One of the worm's sophisticated persistence techniques involves a process named 'Monitor,' stored in the Temp folder within a user's AppData directory. This process downloads multiple randomly named P2PInfect executables along with an encrypted configuration file, ensuring its long-term presence on infected systems.

The researchers have observed that P2PInfect establishes a P2P connection via port 60100 to a large command and control (C2) botnet. While samples downloaded from the C2 include files labeled 'miner' and 'winminer,' there is no concrete evidence yet of P2PInfect engaging in cryptomining using the infected instances. However, experts speculate that the worm may be laying the groundwork for future campaigns, potentially involving mining activities using the botnet.

The worm's rapid spread has been noted: of the 307,000 publicly reachable Redis instances examined, 934 were identified as vulnerable.

Update: researchers have described the attack process in detail:

The malware, written in Rust, has versions tailored for both Windows and Linux operating systems, making it a cross-platform threat. It primarily gains a foothold in systems through two methods:

  1. Exploiting a critical vulnerability: P2PInfect takes advantage of CVE-2022-0543. This vulnerability is specific to Debian systems and involves a Lua sandbox escape that allows remote code execution. With a severity score of 10 out of 10, it is highly dangerous and enables the malware to execute arbitrary code on compromised Redis instances.

  2. Abusing the Redis replication feature: The malware also exploits Redis replication, which creates exact replicas of the main/leader Redis instance. By abusing this feature, the malware establishes a peer-to-peer network of infected Redis servers, enabling it to spread and coordinate without a centralized command and control server.

Once P2PInfect gains access to a vulnerable Redis instance, it downloads new OS-specific scripts and malicious binaries. It then adds the infected server to its network of compromised systems. Notably, P2PInfect is designed to work on both Windows and Linux systems, increasing its reach and potential impact.
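As an added example (not the researchers' code and not part of the advisory), the following Python audits a Redis instance's INFO and CONFIG GET output, supplied as text, for the conditions the advisory warns about: a listener exposed on all interfaces without protected mode or a password, and replication links to peers that are not on an allowlist. The INFO sample and the 203.0.113.7 address are constructed, and `trusted_peers` is an assumed operator-maintained allowlist.

```python
import re
from typing import Dict, Iterable, List

def parse_info(text: str) -> Dict[str, str]:
    """Parse Redis INFO output: 'key:value' lines, '# Section' headers, CRLF or LF."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields

def audit_instance(info: Dict[str, str], config: Dict[str, str],
                   trusted_peers: Iterable[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means no exposure indicators were seen."""
    findings: List[str] = []
    trusted = set(trusted_peers)
    bind = config.get("bind", "")
    # An empty bind or a wildcard address means the listener is on every interface.
    wildcard = bind == "" or any(b in ("0.0.0.0", "::", "*") for b in bind.split())
    if wildcard and config.get("protected-mode", "yes") != "yes":
        findings.append("listens on all interfaces with protected-mode disabled")
    if not config.get("requirepass"):
        findings.append("no requirepass configured: unauthenticated commands accepted")
    # This host replicating from an unexpected master is the replication path described above.
    if info.get("role") == "slave":
        master = f"{info.get('master_host')}:{info.get('master_port')}"
        if master not in trusted:
            findings.append(f"replicating from untrusted master {master}")
    # Unknown replicas attached to this master (slaveN:ip=...,port=...,...) are equally suspicious.
    for key, value in info.items():
        if re.fullmatch(r"slave\d+", key):
            kv = dict(item.split("=", 1) for item in value.split(","))
            peer = f"{kv.get('ip')}:{kv.get('port')}"
            if peer not in trusted:
                findings.append(f"unknown replica attached: {peer}")
    return findings

# Constructed sample output, not captured from a real instance.
SAMPLE_INFO = """# Server
redis_version:6.0.16
# Replication
role:slave
master_host:203.0.113.7
master_port:6379
"""
SAMPLE_CONFIG = {"bind": "0.0.0.0", "protected-mode": "no", "requirepass": ""}
```

Run `audit_instance(parse_info(SAMPLE_INFO), SAMPLE_CONFIG)` to see all three findings for the constructed sample; a hardened instance (loopback bind, protected mode on, password set, only allowlisted peers) yields an empty list.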
